Print this page
5007142 Add ntohll and htonll to sys/byteorder.h
6717509 Need to use bswap/bswapq for byte swap of 64-bit integer on x32/x64
PSARC 2008/474
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/common/crypto/sha2/sha2.c
+++ new/usr/src/common/crypto/sha2/sha2.c
1 1 /*
2 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 3 * Use is subject to license terms.
4 4 */
5 5
6 -#pragma ident "%Z%%M% %I% %E% SMI"
7 -
8 6 /*
9 7 * The basic framework for this code came from the reference
10 8 * implementation for MD5. That implementation is Copyright (C)
11 9 * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
12 10 *
13 11 * License to copy and use this software is granted provided that it
14 12 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
15 13 * Algorithm" in all material mentioning or referencing this software
16 14 * or this function.
17 15 *
18 16 * License is also granted to make and use derivative works provided
19 17 * that such works are identified as "derived from the RSA Data
20 18 * Security, Inc. MD5 Message-Digest Algorithm" in all material
21 19 * mentioning or referencing the derived work.
|
↓ open down ↓ |
4 lines elided |
↑ open up ↑ |
22 20 *
23 21 * RSA Data Security, Inc. makes no representations concerning either
24 22 * the merchantability of this software or the suitability of this
25 23 * software for any particular purpose. It is provided "as is"
26 24 * without express or implied warranty of any kind.
27 25 *
28 26 * These notices must be retained in any copies of any part of this
29 27 * documentation and/or software.
30 28 *
31 29 * NOTE: Cleaned-up and optimized, version of SHA2, based on the FIPS 180-2
32 - * standard, available at http://www.itl.nist.gov/div897/pubs/fip180-2.htm
30 + * standard, available at
31 + * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
33 32 * Not as fast as one would like -- further optimizations are encouraged
34 33 * and appreciated.
35 34 */
36 35
37 36 #include <sys/types.h>
38 37 #include <sys/param.h>
39 38 #include <sys/systm.h>
40 39 #include <sys/sysmacros.h>
41 40 #define _SHA2_IMPL
42 41 #include <sys/sha2.h>
43 42 #include <sys/sha2_consts.h>
44 43
45 44 #ifdef _KERNEL
46 45 #include <sys/cmn_err.h>
47 46
48 47 #else
49 48 #include <strings.h>
50 49 #include <stdlib.h>
51 50 #include <errno.h>
52 51
|
↓ open down ↓ |
10 lines elided |
↑ open up ↑ |
53 52 #pragma weak SHA256Update = SHA2Update
54 53 #pragma weak SHA384Update = SHA2Update
55 54 #pragma weak SHA512Update = SHA2Update
56 55
57 56 #pragma weak SHA256Final = SHA2Final
58 57 #pragma weak SHA384Final = SHA2Final
59 58 #pragma weak SHA512Final = SHA2Final
60 59
61 60 #endif /* _KERNEL */
62 61
62 +#ifdef _LITTLE_ENDIAN
63 +#include <sys/byteorder.h>
64 +#define HAVE_HTONL
65 +#endif
66 +
63 67 static void Encode(uint8_t *, uint32_t *, size_t);
64 68 static void Encode64(uint8_t *, uint64_t *, size_t);
65 69
66 70 #if defined(__amd64)
67 71 #define SHA512Transform(ctx, in) SHA512TransformBlocks((ctx), (in), 1)
68 72 #define SHA256Transform(ctx, in) SHA256TransformBlocks((ctx), (in), 1)
69 73
70 74 void SHA512TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num);
71 75 void SHA256TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num);
72 76
73 77 #else
74 78 static void SHA256Transform(SHA2_CTX *, const uint8_t *);
75 79 static void SHA512Transform(SHA2_CTX *, const uint8_t *);
76 80 #endif /* __amd64 */
77 81
78 82 static uint8_t PADDING[128] = { 0x80, /* all zeros */ };
79 83
80 84 /* Ch and Maj are the basic SHA2 functions. */
81 85 #define Ch(b, c, d) (((b) & (c)) ^ ((~b) & (d)))
82 86 #define Maj(b, c, d) (((b) & (c)) ^ ((b) & (d)) ^ ((c) & (d)))
83 87
84 88 /* Rotates x right n bits. */
85 89 #define ROTR(x, n) \
86 90 (((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n))))
87 91
88 92 /* Shift x right n bits */
89 93 #define SHR(x, n) ((x) >> (n))
90 94
91 95 /* SHA256 Functions */
92 96 #define BIGSIGMA0_256(x) (ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22))
93 97 #define BIGSIGMA1_256(x) (ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25))
94 98 #define SIGMA0_256(x) (ROTR((x), 7) ^ ROTR((x), 18) ^ SHR((x), 3))
95 99 #define SIGMA1_256(x) (ROTR((x), 17) ^ ROTR((x), 19) ^ SHR((x), 10))
96 100
97 101 #define SHA256ROUND(a, b, c, d, e, f, g, h, i, w) \
98 102 T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_CONST(i) + w; \
99 103 d += T1; \
100 104 T2 = BIGSIGMA0_256(a) + Maj(a, b, c); \
101 105 h = T1 + T2
102 106
103 107 /* SHA384/512 Functions */
104 108 #define BIGSIGMA0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
105 109 #define BIGSIGMA1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
106 110 #define SIGMA0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ SHR((x), 7))
107 111 #define SIGMA1(x) (ROTR((x), 19) ^ ROTR((x), 61) ^ SHR((x), 6))
108 112 #define SHA512ROUND(a, b, c, d, e, f, g, h, i, w) \
109 113 T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + SHA512_CONST(i) + w; \
110 114 d += T1; \
111 115 T2 = BIGSIGMA0(a) + Maj(a, b, c); \
112 116 h = T1 + T2
113 117
|
↓ open down ↓ |
41 lines elided |
↑ open up ↑ |
114 118 /*
115 119 * sparc optimization:
116 120 *
117 121 * on the sparc, we can load big endian 32-bit data easily. note that
118 122 * special care must be taken to ensure the address is 32-bit aligned.
119 123 * in the interest of speed, we don't check to make sure, since
120 124 * careful programming can guarantee this for us.
121 125 */
122 126
123 127 #if defined(_BIG_ENDIAN)
124 -
125 128 #define LOAD_BIG_32(addr) (*(uint32_t *)(addr))
129 +#define LOAD_BIG_64(addr) (*(uint64_t *)(addr))
126 130
127 -#else /* little endian -- will work on big endian, but slowly */
131 +#elif defined(HAVE_HTONL)
132 +#define LOAD_BIG_32(addr) htonl(*((uint32_t *)(addr)))
133 +#define LOAD_BIG_64(addr) htonll(*((uint64_t *)(addr)))
128 134
135 +#else
136 +/* little endian -- will work on big endian, but slowly */
129 137 #define LOAD_BIG_32(addr) \
130 138 (((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3])
131 -#endif
132 -
133 -
134 -#if defined(_BIG_ENDIAN)
135 -
136 -#define LOAD_BIG_64(addr) (*(uint64_t *)(addr))
137 -
138 -#else /* little endian -- will work on big endian, but slowly */
139 -
140 139 #define LOAD_BIG_64(addr) \
141 140 (((uint64_t)(addr)[0] << 56) | ((uint64_t)(addr)[1] << 48) | \
142 141 ((uint64_t)(addr)[2] << 40) | ((uint64_t)(addr)[3] << 32) | \
143 142 ((uint64_t)(addr)[4] << 24) | ((uint64_t)(addr)[5] << 16) | \
144 143 ((uint64_t)(addr)[6] << 8) | (uint64_t)(addr)[7])
145 -#endif
144 +#endif /* _BIG_ENDIAN */
146 145
147 146
148 147 #if !defined(__amd64)
149 148 /* SHA256 Transform */
150 149
151 150 static void
152 151 SHA256Transform(SHA2_CTX *ctx, const uint8_t *blk)
153 152 {
154 153 uint32_t a = ctx->state.s32[0];
155 154 uint32_t b = ctx->state.s32[1];
156 155 uint32_t c = ctx->state.s32[2];
157 156 uint32_t d = ctx->state.s32[3];
158 157 uint32_t e = ctx->state.s32[4];
159 158 uint32_t f = ctx->state.s32[5];
160 159 uint32_t g = ctx->state.s32[6];
161 160 uint32_t h = ctx->state.s32[7];
162 161
163 162 uint32_t w0, w1, w2, w3, w4, w5, w6, w7;
164 163 uint32_t w8, w9, w10, w11, w12, w13, w14, w15;
165 164 uint32_t T1, T2;
166 165
167 166 #if defined(__sparc)
168 167 static const uint32_t sha256_consts[] = {
169 168 SHA256_CONST_0, SHA256_CONST_1, SHA256_CONST_2,
170 169 SHA256_CONST_3, SHA256_CONST_4, SHA256_CONST_5,
171 170 SHA256_CONST_6, SHA256_CONST_7, SHA256_CONST_8,
172 171 SHA256_CONST_9, SHA256_CONST_10, SHA256_CONST_11,
173 172 SHA256_CONST_12, SHA256_CONST_13, SHA256_CONST_14,
174 173 SHA256_CONST_15, SHA256_CONST_16, SHA256_CONST_17,
175 174 SHA256_CONST_18, SHA256_CONST_19, SHA256_CONST_20,
176 175 SHA256_CONST_21, SHA256_CONST_22, SHA256_CONST_23,
177 176 SHA256_CONST_24, SHA256_CONST_25, SHA256_CONST_26,
178 177 SHA256_CONST_27, SHA256_CONST_28, SHA256_CONST_29,
179 178 SHA256_CONST_30, SHA256_CONST_31, SHA256_CONST_32,
180 179 SHA256_CONST_33, SHA256_CONST_34, SHA256_CONST_35,
181 180 SHA256_CONST_36, SHA256_CONST_37, SHA256_CONST_38,
182 181 SHA256_CONST_39, SHA256_CONST_40, SHA256_CONST_41,
183 182 SHA256_CONST_42, SHA256_CONST_43, SHA256_CONST_44,
184 183 SHA256_CONST_45, SHA256_CONST_46, SHA256_CONST_47,
185 184 SHA256_CONST_48, SHA256_CONST_49, SHA256_CONST_50,
186 185 SHA256_CONST_51, SHA256_CONST_52, SHA256_CONST_53,
187 186 SHA256_CONST_54, SHA256_CONST_55, SHA256_CONST_56,
188 187 SHA256_CONST_57, SHA256_CONST_58, SHA256_CONST_59,
189 188 SHA256_CONST_60, SHA256_CONST_61, SHA256_CONST_62,
190 189 SHA256_CONST_63
191 190 };
192 191 #endif /* __sparc */
193 192
194 193 if ((uintptr_t)blk & 0x3) { /* not 4-byte aligned? */
195 194 bcopy(blk, ctx->buf_un.buf32, sizeof (ctx->buf_un.buf32));
196 195 blk = (uint8_t *)ctx->buf_un.buf32;
197 196 }
198 197
199 198 /* LINTED E_BAD_PTR_CAST_ALIGN */
200 199 w0 = LOAD_BIG_32(blk + 4 * 0);
201 200 SHA256ROUND(a, b, c, d, e, f, g, h, 0, w0);
202 201 /* LINTED E_BAD_PTR_CAST_ALIGN */
203 202 w1 = LOAD_BIG_32(blk + 4 * 1);
204 203 SHA256ROUND(h, a, b, c, d, e, f, g, 1, w1);
205 204 /* LINTED E_BAD_PTR_CAST_ALIGN */
206 205 w2 = LOAD_BIG_32(blk + 4 * 2);
207 206 SHA256ROUND(g, h, a, b, c, d, e, f, 2, w2);
208 207 /* LINTED E_BAD_PTR_CAST_ALIGN */
209 208 w3 = LOAD_BIG_32(blk + 4 * 3);
210 209 SHA256ROUND(f, g, h, a, b, c, d, e, 3, w3);
211 210 /* LINTED E_BAD_PTR_CAST_ALIGN */
212 211 w4 = LOAD_BIG_32(blk + 4 * 4);
213 212 SHA256ROUND(e, f, g, h, a, b, c, d, 4, w4);
214 213 /* LINTED E_BAD_PTR_CAST_ALIGN */
215 214 w5 = LOAD_BIG_32(blk + 4 * 5);
216 215 SHA256ROUND(d, e, f, g, h, a, b, c, 5, w5);
217 216 /* LINTED E_BAD_PTR_CAST_ALIGN */
218 217 w6 = LOAD_BIG_32(blk + 4 * 6);
219 218 SHA256ROUND(c, d, e, f, g, h, a, b, 6, w6);
220 219 /* LINTED E_BAD_PTR_CAST_ALIGN */
221 220 w7 = LOAD_BIG_32(blk + 4 * 7);
222 221 SHA256ROUND(b, c, d, e, f, g, h, a, 7, w7);
223 222 /* LINTED E_BAD_PTR_CAST_ALIGN */
224 223 w8 = LOAD_BIG_32(blk + 4 * 8);
225 224 SHA256ROUND(a, b, c, d, e, f, g, h, 8, w8);
226 225 /* LINTED E_BAD_PTR_CAST_ALIGN */
227 226 w9 = LOAD_BIG_32(blk + 4 * 9);
228 227 SHA256ROUND(h, a, b, c, d, e, f, g, 9, w9);
229 228 /* LINTED E_BAD_PTR_CAST_ALIGN */
230 229 w10 = LOAD_BIG_32(blk + 4 * 10);
231 230 SHA256ROUND(g, h, a, b, c, d, e, f, 10, w10);
232 231 /* LINTED E_BAD_PTR_CAST_ALIGN */
233 232 w11 = LOAD_BIG_32(blk + 4 * 11);
234 233 SHA256ROUND(f, g, h, a, b, c, d, e, 11, w11);
235 234 /* LINTED E_BAD_PTR_CAST_ALIGN */
236 235 w12 = LOAD_BIG_32(blk + 4 * 12);
237 236 SHA256ROUND(e, f, g, h, a, b, c, d, 12, w12);
238 237 /* LINTED E_BAD_PTR_CAST_ALIGN */
239 238 w13 = LOAD_BIG_32(blk + 4 * 13);
240 239 SHA256ROUND(d, e, f, g, h, a, b, c, 13, w13);
241 240 /* LINTED E_BAD_PTR_CAST_ALIGN */
242 241 w14 = LOAD_BIG_32(blk + 4 * 14);
243 242 SHA256ROUND(c, d, e, f, g, h, a, b, 14, w14);
244 243 /* LINTED E_BAD_PTR_CAST_ALIGN */
245 244 w15 = LOAD_BIG_32(blk + 4 * 15);
246 245 SHA256ROUND(b, c, d, e, f, g, h, a, 15, w15);
247 246
248 247 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
249 248 SHA256ROUND(a, b, c, d, e, f, g, h, 16, w0);
250 249 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
251 250 SHA256ROUND(h, a, b, c, d, e, f, g, 17, w1);
252 251 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
253 252 SHA256ROUND(g, h, a, b, c, d, e, f, 18, w2);
254 253 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
255 254 SHA256ROUND(f, g, h, a, b, c, d, e, 19, w3);
256 255 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
257 256 SHA256ROUND(e, f, g, h, a, b, c, d, 20, w4);
258 257 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
259 258 SHA256ROUND(d, e, f, g, h, a, b, c, 21, w5);
260 259 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
261 260 SHA256ROUND(c, d, e, f, g, h, a, b, 22, w6);
262 261 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
263 262 SHA256ROUND(b, c, d, e, f, g, h, a, 23, w7);
264 263 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
265 264 SHA256ROUND(a, b, c, d, e, f, g, h, 24, w8);
266 265 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
267 266 SHA256ROUND(h, a, b, c, d, e, f, g, 25, w9);
268 267 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
269 268 SHA256ROUND(g, h, a, b, c, d, e, f, 26, w10);
270 269 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
271 270 SHA256ROUND(f, g, h, a, b, c, d, e, 27, w11);
272 271 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
273 272 SHA256ROUND(e, f, g, h, a, b, c, d, 28, w12);
274 273 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
275 274 SHA256ROUND(d, e, f, g, h, a, b, c, 29, w13);
276 275 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
277 276 SHA256ROUND(c, d, e, f, g, h, a, b, 30, w14);
278 277 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
279 278 SHA256ROUND(b, c, d, e, f, g, h, a, 31, w15);
280 279
281 280 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
282 281 SHA256ROUND(a, b, c, d, e, f, g, h, 32, w0);
283 282 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
284 283 SHA256ROUND(h, a, b, c, d, e, f, g, 33, w1);
285 284 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
286 285 SHA256ROUND(g, h, a, b, c, d, e, f, 34, w2);
287 286 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
288 287 SHA256ROUND(f, g, h, a, b, c, d, e, 35, w3);
289 288 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
290 289 SHA256ROUND(e, f, g, h, a, b, c, d, 36, w4);
291 290 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
292 291 SHA256ROUND(d, e, f, g, h, a, b, c, 37, w5);
293 292 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
294 293 SHA256ROUND(c, d, e, f, g, h, a, b, 38, w6);
295 294 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
296 295 SHA256ROUND(b, c, d, e, f, g, h, a, 39, w7);
297 296 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
298 297 SHA256ROUND(a, b, c, d, e, f, g, h, 40, w8);
299 298 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
300 299 SHA256ROUND(h, a, b, c, d, e, f, g, 41, w9);
301 300 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
302 301 SHA256ROUND(g, h, a, b, c, d, e, f, 42, w10);
303 302 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
304 303 SHA256ROUND(f, g, h, a, b, c, d, e, 43, w11);
305 304 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
306 305 SHA256ROUND(e, f, g, h, a, b, c, d, 44, w12);
307 306 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
308 307 SHA256ROUND(d, e, f, g, h, a, b, c, 45, w13);
309 308 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
310 309 SHA256ROUND(c, d, e, f, g, h, a, b, 46, w14);
311 310 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
312 311 SHA256ROUND(b, c, d, e, f, g, h, a, 47, w15);
313 312
314 313 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
315 314 SHA256ROUND(a, b, c, d, e, f, g, h, 48, w0);
316 315 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
317 316 SHA256ROUND(h, a, b, c, d, e, f, g, 49, w1);
318 317 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
319 318 SHA256ROUND(g, h, a, b, c, d, e, f, 50, w2);
320 319 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
321 320 SHA256ROUND(f, g, h, a, b, c, d, e, 51, w3);
322 321 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
323 322 SHA256ROUND(e, f, g, h, a, b, c, d, 52, w4);
324 323 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
325 324 SHA256ROUND(d, e, f, g, h, a, b, c, 53, w5);
326 325 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
327 326 SHA256ROUND(c, d, e, f, g, h, a, b, 54, w6);
328 327 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
329 328 SHA256ROUND(b, c, d, e, f, g, h, a, 55, w7);
330 329 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
331 330 SHA256ROUND(a, b, c, d, e, f, g, h, 56, w8);
332 331 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
333 332 SHA256ROUND(h, a, b, c, d, e, f, g, 57, w9);
334 333 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
335 334 SHA256ROUND(g, h, a, b, c, d, e, f, 58, w10);
336 335 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
337 336 SHA256ROUND(f, g, h, a, b, c, d, e, 59, w11);
338 337 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
339 338 SHA256ROUND(e, f, g, h, a, b, c, d, 60, w12);
340 339 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
341 340 SHA256ROUND(d, e, f, g, h, a, b, c, 61, w13);
342 341 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
343 342 SHA256ROUND(c, d, e, f, g, h, a, b, 62, w14);
344 343 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
345 344 SHA256ROUND(b, c, d, e, f, g, h, a, 63, w15);
346 345
347 346 ctx->state.s32[0] += a;
348 347 ctx->state.s32[1] += b;
349 348 ctx->state.s32[2] += c;
350 349 ctx->state.s32[3] += d;
351 350 ctx->state.s32[4] += e;
352 351 ctx->state.s32[5] += f;
353 352 ctx->state.s32[6] += g;
354 353 ctx->state.s32[7] += h;
355 354 }
356 355
357 356
358 357 /* SHA384 and SHA512 Transform */
359 358
360 359 static void
361 360 SHA512Transform(SHA2_CTX *ctx, const uint8_t *blk)
362 361 {
363 362
364 363 uint64_t a = ctx->state.s64[0];
365 364 uint64_t b = ctx->state.s64[1];
366 365 uint64_t c = ctx->state.s64[2];
367 366 uint64_t d = ctx->state.s64[3];
368 367 uint64_t e = ctx->state.s64[4];
369 368 uint64_t f = ctx->state.s64[5];
370 369 uint64_t g = ctx->state.s64[6];
371 370 uint64_t h = ctx->state.s64[7];
372 371
373 372 uint64_t w0, w1, w2, w3, w4, w5, w6, w7;
374 373 uint64_t w8, w9, w10, w11, w12, w13, w14, w15;
375 374 uint64_t T1, T2;
376 375
377 376 #if defined(__sparc)
378 377 static const uint64_t sha512_consts[] = {
379 378 SHA512_CONST_0, SHA512_CONST_1, SHA512_CONST_2,
380 379 SHA512_CONST_3, SHA512_CONST_4, SHA512_CONST_5,
381 380 SHA512_CONST_6, SHA512_CONST_7, SHA512_CONST_8,
382 381 SHA512_CONST_9, SHA512_CONST_10, SHA512_CONST_11,
383 382 SHA512_CONST_12, SHA512_CONST_13, SHA512_CONST_14,
384 383 SHA512_CONST_15, SHA512_CONST_16, SHA512_CONST_17,
385 384 SHA512_CONST_18, SHA512_CONST_19, SHA512_CONST_20,
386 385 SHA512_CONST_21, SHA512_CONST_22, SHA512_CONST_23,
387 386 SHA512_CONST_24, SHA512_CONST_25, SHA512_CONST_26,
388 387 SHA512_CONST_27, SHA512_CONST_28, SHA512_CONST_29,
389 388 SHA512_CONST_30, SHA512_CONST_31, SHA512_CONST_32,
390 389 SHA512_CONST_33, SHA512_CONST_34, SHA512_CONST_35,
391 390 SHA512_CONST_36, SHA512_CONST_37, SHA512_CONST_38,
392 391 SHA512_CONST_39, SHA512_CONST_40, SHA512_CONST_41,
393 392 SHA512_CONST_42, SHA512_CONST_43, SHA512_CONST_44,
394 393 SHA512_CONST_45, SHA512_CONST_46, SHA512_CONST_47,
395 394 SHA512_CONST_48, SHA512_CONST_49, SHA512_CONST_50,
396 395 SHA512_CONST_51, SHA512_CONST_52, SHA512_CONST_53,
397 396 SHA512_CONST_54, SHA512_CONST_55, SHA512_CONST_56,
398 397 SHA512_CONST_57, SHA512_CONST_58, SHA512_CONST_59,
399 398 SHA512_CONST_60, SHA512_CONST_61, SHA512_CONST_62,
400 399 SHA512_CONST_63, SHA512_CONST_64, SHA512_CONST_65,
401 400 SHA512_CONST_66, SHA512_CONST_67, SHA512_CONST_68,
402 401 SHA512_CONST_69, SHA512_CONST_70, SHA512_CONST_71,
403 402 SHA512_CONST_72, SHA512_CONST_73, SHA512_CONST_74,
404 403 SHA512_CONST_75, SHA512_CONST_76, SHA512_CONST_77,
405 404 SHA512_CONST_78, SHA512_CONST_79
406 405 };
407 406 #endif /* __sparc */
408 407
409 408
410 409 if ((uintptr_t)blk & 0x7) { /* not 8-byte aligned? */
411 410 bcopy(blk, ctx->buf_un.buf64, sizeof (ctx->buf_un.buf64));
412 411 blk = (uint8_t *)ctx->buf_un.buf64;
413 412 }
414 413
415 414 /* LINTED E_BAD_PTR_CAST_ALIGN */
416 415 w0 = LOAD_BIG_64(blk + 8 * 0);
417 416 SHA512ROUND(a, b, c, d, e, f, g, h, 0, w0);
418 417 /* LINTED E_BAD_PTR_CAST_ALIGN */
419 418 w1 = LOAD_BIG_64(blk + 8 * 1);
420 419 SHA512ROUND(h, a, b, c, d, e, f, g, 1, w1);
421 420 /* LINTED E_BAD_PTR_CAST_ALIGN */
422 421 w2 = LOAD_BIG_64(blk + 8 * 2);
423 422 SHA512ROUND(g, h, a, b, c, d, e, f, 2, w2);
424 423 /* LINTED E_BAD_PTR_CAST_ALIGN */
425 424 w3 = LOAD_BIG_64(blk + 8 * 3);
426 425 SHA512ROUND(f, g, h, a, b, c, d, e, 3, w3);
427 426 /* LINTED E_BAD_PTR_CAST_ALIGN */
428 427 w4 = LOAD_BIG_64(blk + 8 * 4);
429 428 SHA512ROUND(e, f, g, h, a, b, c, d, 4, w4);
430 429 /* LINTED E_BAD_PTR_CAST_ALIGN */
431 430 w5 = LOAD_BIG_64(blk + 8 * 5);
432 431 SHA512ROUND(d, e, f, g, h, a, b, c, 5, w5);
433 432 /* LINTED E_BAD_PTR_CAST_ALIGN */
434 433 w6 = LOAD_BIG_64(blk + 8 * 6);
435 434 SHA512ROUND(c, d, e, f, g, h, a, b, 6, w6);
436 435 /* LINTED E_BAD_PTR_CAST_ALIGN */
437 436 w7 = LOAD_BIG_64(blk + 8 * 7);
438 437 SHA512ROUND(b, c, d, e, f, g, h, a, 7, w7);
439 438 /* LINTED E_BAD_PTR_CAST_ALIGN */
440 439 w8 = LOAD_BIG_64(blk + 8 * 8);
441 440 SHA512ROUND(a, b, c, d, e, f, g, h, 8, w8);
442 441 /* LINTED E_BAD_PTR_CAST_ALIGN */
443 442 w9 = LOAD_BIG_64(blk + 8 * 9);
444 443 SHA512ROUND(h, a, b, c, d, e, f, g, 9, w9);
445 444 /* LINTED E_BAD_PTR_CAST_ALIGN */
446 445 w10 = LOAD_BIG_64(blk + 8 * 10);
447 446 SHA512ROUND(g, h, a, b, c, d, e, f, 10, w10);
448 447 /* LINTED E_BAD_PTR_CAST_ALIGN */
449 448 w11 = LOAD_BIG_64(blk + 8 * 11);
450 449 SHA512ROUND(f, g, h, a, b, c, d, e, 11, w11);
451 450 /* LINTED E_BAD_PTR_CAST_ALIGN */
452 451 w12 = LOAD_BIG_64(blk + 8 * 12);
453 452 SHA512ROUND(e, f, g, h, a, b, c, d, 12, w12);
454 453 /* LINTED E_BAD_PTR_CAST_ALIGN */
455 454 w13 = LOAD_BIG_64(blk + 8 * 13);
456 455 SHA512ROUND(d, e, f, g, h, a, b, c, 13, w13);
457 456 /* LINTED E_BAD_PTR_CAST_ALIGN */
458 457 w14 = LOAD_BIG_64(blk + 8 * 14);
459 458 SHA512ROUND(c, d, e, f, g, h, a, b, 14, w14);
460 459 /* LINTED E_BAD_PTR_CAST_ALIGN */
461 460 w15 = LOAD_BIG_64(blk + 8 * 15);
462 461 SHA512ROUND(b, c, d, e, f, g, h, a, 15, w15);
463 462
464 463 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
465 464 SHA512ROUND(a, b, c, d, e, f, g, h, 16, w0);
466 465 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
467 466 SHA512ROUND(h, a, b, c, d, e, f, g, 17, w1);
468 467 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
469 468 SHA512ROUND(g, h, a, b, c, d, e, f, 18, w2);
470 469 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
471 470 SHA512ROUND(f, g, h, a, b, c, d, e, 19, w3);
472 471 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
473 472 SHA512ROUND(e, f, g, h, a, b, c, d, 20, w4);
474 473 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
475 474 SHA512ROUND(d, e, f, g, h, a, b, c, 21, w5);
476 475 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
477 476 SHA512ROUND(c, d, e, f, g, h, a, b, 22, w6);
478 477 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
479 478 SHA512ROUND(b, c, d, e, f, g, h, a, 23, w7);
480 479 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
481 480 SHA512ROUND(a, b, c, d, e, f, g, h, 24, w8);
482 481 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
483 482 SHA512ROUND(h, a, b, c, d, e, f, g, 25, w9);
484 483 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
485 484 SHA512ROUND(g, h, a, b, c, d, e, f, 26, w10);
486 485 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
487 486 SHA512ROUND(f, g, h, a, b, c, d, e, 27, w11);
488 487 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
489 488 SHA512ROUND(e, f, g, h, a, b, c, d, 28, w12);
490 489 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
491 490 SHA512ROUND(d, e, f, g, h, a, b, c, 29, w13);
492 491 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
493 492 SHA512ROUND(c, d, e, f, g, h, a, b, 30, w14);
494 493 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
495 494 SHA512ROUND(b, c, d, e, f, g, h, a, 31, w15);
496 495
497 496 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
498 497 SHA512ROUND(a, b, c, d, e, f, g, h, 32, w0);
499 498 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
500 499 SHA512ROUND(h, a, b, c, d, e, f, g, 33, w1);
501 500 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
502 501 SHA512ROUND(g, h, a, b, c, d, e, f, 34, w2);
503 502 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
504 503 SHA512ROUND(f, g, h, a, b, c, d, e, 35, w3);
505 504 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
506 505 SHA512ROUND(e, f, g, h, a, b, c, d, 36, w4);
507 506 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
508 507 SHA512ROUND(d, e, f, g, h, a, b, c, 37, w5);
509 508 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
510 509 SHA512ROUND(c, d, e, f, g, h, a, b, 38, w6);
511 510 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
512 511 SHA512ROUND(b, c, d, e, f, g, h, a, 39, w7);
513 512 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
514 513 SHA512ROUND(a, b, c, d, e, f, g, h, 40, w8);
515 514 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
516 515 SHA512ROUND(h, a, b, c, d, e, f, g, 41, w9);
517 516 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
518 517 SHA512ROUND(g, h, a, b, c, d, e, f, 42, w10);
519 518 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
520 519 SHA512ROUND(f, g, h, a, b, c, d, e, 43, w11);
521 520 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
522 521 SHA512ROUND(e, f, g, h, a, b, c, d, 44, w12);
523 522 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
524 523 SHA512ROUND(d, e, f, g, h, a, b, c, 45, w13);
525 524 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
526 525 SHA512ROUND(c, d, e, f, g, h, a, b, 46, w14);
527 526 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
528 527 SHA512ROUND(b, c, d, e, f, g, h, a, 47, w15);
529 528
530 529 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
531 530 SHA512ROUND(a, b, c, d, e, f, g, h, 48, w0);
532 531 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
533 532 SHA512ROUND(h, a, b, c, d, e, f, g, 49, w1);
534 533 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
535 534 SHA512ROUND(g, h, a, b, c, d, e, f, 50, w2);
536 535 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
537 536 SHA512ROUND(f, g, h, a, b, c, d, e, 51, w3);
538 537 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
539 538 SHA512ROUND(e, f, g, h, a, b, c, d, 52, w4);
540 539 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
541 540 SHA512ROUND(d, e, f, g, h, a, b, c, 53, w5);
542 541 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
543 542 SHA512ROUND(c, d, e, f, g, h, a, b, 54, w6);
544 543 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
545 544 SHA512ROUND(b, c, d, e, f, g, h, a, 55, w7);
546 545 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
547 546 SHA512ROUND(a, b, c, d, e, f, g, h, 56, w8);
548 547 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
549 548 SHA512ROUND(h, a, b, c, d, e, f, g, 57, w9);
550 549 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
551 550 SHA512ROUND(g, h, a, b, c, d, e, f, 58, w10);
552 551 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
553 552 SHA512ROUND(f, g, h, a, b, c, d, e, 59, w11);
554 553 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
555 554 SHA512ROUND(e, f, g, h, a, b, c, d, 60, w12);
556 555 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
557 556 SHA512ROUND(d, e, f, g, h, a, b, c, 61, w13);
558 557 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
559 558 SHA512ROUND(c, d, e, f, g, h, a, b, 62, w14);
560 559 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
561 560 SHA512ROUND(b, c, d, e, f, g, h, a, 63, w15);
562 561
563 562 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
564 563 SHA512ROUND(a, b, c, d, e, f, g, h, 64, w0);
565 564 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
566 565 SHA512ROUND(h, a, b, c, d, e, f, g, 65, w1);
567 566 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
568 567 SHA512ROUND(g, h, a, b, c, d, e, f, 66, w2);
569 568 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
570 569 SHA512ROUND(f, g, h, a, b, c, d, e, 67, w3);
571 570 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
572 571 SHA512ROUND(e, f, g, h, a, b, c, d, 68, w4);
573 572 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
574 573 SHA512ROUND(d, e, f, g, h, a, b, c, 69, w5);
575 574 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
576 575 SHA512ROUND(c, d, e, f, g, h, a, b, 70, w6);
577 576 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
578 577 SHA512ROUND(b, c, d, e, f, g, h, a, 71, w7);
579 578 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
580 579 SHA512ROUND(a, b, c, d, e, f, g, h, 72, w8);
581 580 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
582 581 SHA512ROUND(h, a, b, c, d, e, f, g, 73, w9);
583 582 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
584 583 SHA512ROUND(g, h, a, b, c, d, e, f, 74, w10);
585 584 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
586 585 SHA512ROUND(f, g, h, a, b, c, d, e, 75, w11);
587 586 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
588 587 SHA512ROUND(e, f, g, h, a, b, c, d, 76, w12);
589 588 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
590 589 SHA512ROUND(d, e, f, g, h, a, b, c, 77, w13);
591 590 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
592 591 SHA512ROUND(c, d, e, f, g, h, a, b, 78, w14);
593 592 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
594 593 SHA512ROUND(b, c, d, e, f, g, h, a, 79, w15);
595 594
596 595 ctx->state.s64[0] += a;
597 596 ctx->state.s64[1] += b;
598 597 ctx->state.s64[2] += c;
599 598 ctx->state.s64[3] += d;
600 599 ctx->state.s64[4] += e;
601 600 ctx->state.s64[5] += f;
602 601 ctx->state.s64[6] += g;
603 602 ctx->state.s64[7] += h;
604 603
605 604 }
606 605 #endif /* !__amd64 */
607 606
608 607
609 608 /*
610 609 * Encode()
611 610 *
612 611 * purpose: to convert a list of numbers from little endian to big endian
613 612 * input: uint8_t * : place to store the converted big endian numbers
614 613 * uint32_t * : place to get numbers to convert from
615 614 * size_t : the length of the input in bytes
616 615 * output: void
617 616 */
618 617
619 618 static void
620 619 Encode(uint8_t *_RESTRICT_KYWD output, uint32_t *_RESTRICT_KYWD input,
621 620 size_t len)
622 621 {
623 622 size_t i, j;
624 623
625 624 #if defined(__sparc)
626 625 if (IS_P2ALIGNED(output, sizeof (uint32_t))) {
627 626 for (i = 0, j = 0; j < len; i++, j += 4) {
628 627 /* LINTED: pointer alignment */
629 628 *((uint32_t *)(output + j)) = input[i];
630 629 }
631 630 } else {
632 631 #endif /* little endian -- will work on big endian, but slowly */
633 632 for (i = 0, j = 0; j < len; i++, j += 4) {
634 633 output[j] = (input[i] >> 24) & 0xff;
635 634 output[j + 1] = (input[i] >> 16) & 0xff;
636 635 output[j + 2] = (input[i] >> 8) & 0xff;
637 636 output[j + 3] = input[i] & 0xff;
638 637 }
639 638 #if defined(__sparc)
640 639 }
641 640 #endif
642 641 }
643 642
644 643 static void
645 644 Encode64(uint8_t *_RESTRICT_KYWD output, uint64_t *_RESTRICT_KYWD input,
646 645 size_t len)
647 646 {
648 647 size_t i, j;
649 648
650 649 #if defined(__sparc)
651 650 if (IS_P2ALIGNED(output, sizeof (uint64_t))) {
652 651 for (i = 0, j = 0; j < len; i++, j += 8) {
653 652 /* LINTED: pointer alignment */
654 653 *((uint64_t *)(output + j)) = input[i];
655 654 }
656 655 } else {
657 656 #endif /* little endian -- will work on big endian, but slowly */
658 657 for (i = 0, j = 0; j < len; i++, j += 8) {
659 658
660 659 output[j] = (input[i] >> 56) & 0xff;
661 660 output[j + 1] = (input[i] >> 48) & 0xff;
662 661 output[j + 2] = (input[i] >> 40) & 0xff;
663 662 output[j + 3] = (input[i] >> 32) & 0xff;
664 663 output[j + 4] = (input[i] >> 24) & 0xff;
665 664 output[j + 5] = (input[i] >> 16) & 0xff;
666 665 output[j + 6] = (input[i] >> 8) & 0xff;
667 666 output[j + 7] = input[i] & 0xff;
668 667 }
669 668 #if defined(__sparc)
670 669 }
671 670 #endif
672 671 }
673 672
674 673
675 674 void
676 675 SHA2Init(uint64_t mech, SHA2_CTX *ctx)
677 676 {
678 677
679 678 switch (mech) {
680 679 case SHA256_MECH_INFO_TYPE:
681 680 case SHA256_HMAC_MECH_INFO_TYPE:
682 681 case SHA256_HMAC_GEN_MECH_INFO_TYPE:
683 682 ctx->state.s32[0] = 0x6a09e667U;
684 683 ctx->state.s32[1] = 0xbb67ae85U;
685 684 ctx->state.s32[2] = 0x3c6ef372U;
686 685 ctx->state.s32[3] = 0xa54ff53aU;
687 686 ctx->state.s32[4] = 0x510e527fU;
688 687 ctx->state.s32[5] = 0x9b05688cU;
689 688 ctx->state.s32[6] = 0x1f83d9abU;
690 689 ctx->state.s32[7] = 0x5be0cd19U;
691 690 break;
692 691 case SHA384_MECH_INFO_TYPE:
693 692 case SHA384_HMAC_MECH_INFO_TYPE:
694 693 case SHA384_HMAC_GEN_MECH_INFO_TYPE:
695 694 ctx->state.s64[0] = 0xcbbb9d5dc1059ed8ULL;
696 695 ctx->state.s64[1] = 0x629a292a367cd507ULL;
697 696 ctx->state.s64[2] = 0x9159015a3070dd17ULL;
698 697 ctx->state.s64[3] = 0x152fecd8f70e5939ULL;
699 698 ctx->state.s64[4] = 0x67332667ffc00b31ULL;
700 699 ctx->state.s64[5] = 0x8eb44a8768581511ULL;
701 700 ctx->state.s64[6] = 0xdb0c2e0d64f98fa7ULL;
702 701 ctx->state.s64[7] = 0x47b5481dbefa4fa4ULL;
703 702 break;
704 703 case SHA512_MECH_INFO_TYPE:
705 704 case SHA512_HMAC_MECH_INFO_TYPE:
706 705 case SHA512_HMAC_GEN_MECH_INFO_TYPE:
707 706 ctx->state.s64[0] = 0x6a09e667f3bcc908ULL;
|
↓ open down ↓ |
552 lines elided |
↑ open up ↑ |
708 707 ctx->state.s64[1] = 0xbb67ae8584caa73bULL;
709 708 ctx->state.s64[2] = 0x3c6ef372fe94f82bULL;
710 709 ctx->state.s64[3] = 0xa54ff53a5f1d36f1ULL;
711 710 ctx->state.s64[4] = 0x510e527fade682d1ULL;
712 711 ctx->state.s64[5] = 0x9b05688c2b3e6c1fULL;
713 712 ctx->state.s64[6] = 0x1f83d9abfb41bd6bULL;
714 713 ctx->state.s64[7] = 0x5be0cd19137e2179ULL;
715 714 break;
716 715 #ifdef _KERNEL
717 716 default:
718 - cmn_err(CE_PANIC, "sha2_init: "
719 - "failed to find a supported algorithm: 0x%x",
717 + cmn_err(CE_PANIC,
718 + "sha2_init: failed to find a supported algorithm: 0x%x",
720 719 (uint32_t)mech);
721 720
722 721 #endif /* _KERNEL */
723 722 }
724 723
725 724 ctx->algotype = mech;
726 725 ctx->count.c64[0] = ctx->count.c64[1] = 0;
727 726 }
728 727
729 728 #ifndef _KERNEL
730 729
731 730 #pragma inline(SHA256Init, SHA384Init, SHA512Init)
732 731 void
733 732 SHA256Init(SHA256_CTX *ctx)
734 733 {
735 734 SHA2Init(SHA256, ctx);
736 735 }
737 736
738 737 void
739 738 SHA384Init(SHA384_CTX *ctx)
740 739 {
741 740 SHA2Init(SHA384, ctx);
742 741 }
743 742
744 743 void
745 744 SHA512Init(SHA512_CTX *ctx)
746 745 {
747 746 SHA2Init(SHA512, ctx);
748 747 }
749 748
750 749 #endif /* _KERNEL */
751 750
752 751 /*
753 752 * SHA2Update()
754 753 *
755 754 * purpose: continues an sha2 digest operation, using the message block
756 755 * to update the context.
757 756 * input: SHA2_CTX * : the context to update
758 757 * void * : the message block
759 758 * size_t : the length of the message block, in bytes
760 759 * output: void
761 760 */
762 761
763 762 void
764 763 SHA2Update(SHA2_CTX *ctx, const void *inptr, size_t input_len)
765 764 {
766 765 uint32_t i, buf_index, buf_len, buf_limit;
767 766 const uint8_t *input = inptr;
768 767 uint32_t algotype = ctx->algotype;
769 768 #if defined(__amd64)
770 769 uint32_t block_count;
771 770 #endif /* !__amd64 */
772 771
773 772
774 773 /* check for noop */
775 774 if (input_len == 0)
776 775 return;
777 776
778 777 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
779 778 buf_limit = 64;
780 779
781 780 /* compute number of bytes mod 64 */
782 781 buf_index = (ctx->count.c32[1] >> 3) & 0x3F;
783 782
784 783 /* update number of bits */
785 784 if ((ctx->count.c32[1] += (input_len << 3)) < (input_len << 3))
786 785 ctx->count.c32[0]++;
787 786
788 787 ctx->count.c32[0] += (input_len >> 29);
789 788
790 789 } else {
791 790 buf_limit = 128;
792 791
793 792 /* compute number of bytes mod 128 */
794 793 buf_index = (ctx->count.c64[1] >> 3) & 0x7F;
795 794
796 795 /* update number of bits */
797 796 if ((ctx->count.c64[1] += (input_len << 3)) < (input_len << 3))
798 797 ctx->count.c64[0]++;
799 798
800 799 ctx->count.c64[0] += (input_len >> 29);
801 800 }
802 801
803 802 buf_len = buf_limit - buf_index;
804 803
805 804 /* transform as many times as possible */
806 805 i = 0;
807 806 if (input_len >= buf_len) {
808 807
809 808 /*
810 809 * general optimization:
811 810 *
812 811 * only do initial bcopy() and SHA2Transform() if
813 812 * buf_index != 0. if buf_index == 0, we're just
814 813 * wasting our time doing the bcopy() since there
815 814 * wasn't any data left over from a previous call to
816 815 * SHA2Update().
817 816 */
818 817 if (buf_index) {
819 818 bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
820 819 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
821 820 SHA256Transform(ctx, ctx->buf_un.buf8);
822 821 else
823 822 SHA512Transform(ctx, ctx->buf_un.buf8);
824 823
825 824 i = buf_len;
826 825 }
827 826
828 827 #if !defined(__amd64)
829 828 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
830 829 for (; i + buf_limit - 1 < input_len; i += buf_limit) {
831 830 SHA256Transform(ctx, &input[i]);
832 831 }
833 832 } else {
834 833 for (; i + buf_limit - 1 < input_len; i += buf_limit) {
835 834 SHA512Transform(ctx, &input[i]);
836 835 }
837 836 }
838 837
839 838 #else
840 839 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
841 840 block_count = (input_len - i) >> 6;
842 841 if (block_count > 0) {
843 842 SHA256TransformBlocks(ctx, &input[i],
844 843 block_count);
845 844 i += block_count << 6;
846 845 }
847 846 } else {
848 847 block_count = (input_len - i) >> 7;
849 848 if (block_count > 0) {
850 849 SHA512TransformBlocks(ctx, &input[i],
851 850 block_count);
852 851 i += block_count << 7;
853 852 }
854 853 }
855 854 #endif /* !__amd64 */
856 855
857 856 /*
858 857 * general optimization:
859 858 *
860 859 * if i and input_len are the same, return now instead
861 860 * of calling bcopy(), since the bcopy() in this case
862 861 * will be an expensive noop.
863 862 */
864 863
865 864 if (input_len == i)
866 865 return;
867 866
868 867 buf_index = 0;
869 868 }
870 869
871 870 /* buffer remaining input */
872 871 bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
873 872 }
874 873
875 874
876 875 /*
877 876 * SHA2Final()
878 877 *
879 878 * purpose: ends an sha2 digest operation, finalizing the message digest and
880 879 * zeroing the context.
881 880 * input: uchar_t * : a buffer to store the digest
882 881 * : The function actually uses void* because many
883 882 * : callers pass things other than uchar_t here.
884 883 * SHA2_CTX * : the context to finalize, save, and zero
885 884 * output: void
886 885 */
887 886
888 887 void
889 888 SHA2Final(void *digest, SHA2_CTX *ctx)
890 889 {
891 890 uint8_t bitcount_be[sizeof (ctx->count.c32)];
892 891 uint8_t bitcount_be64[sizeof (ctx->count.c64)];
893 892 uint32_t index;
894 893 uint32_t algotype = ctx->algotype;
895 894
896 895 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
897 896 index = (ctx->count.c32[1] >> 3) & 0x3f;
898 897 Encode(bitcount_be, ctx->count.c32, sizeof (bitcount_be));
899 898 SHA2Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index);
900 899 SHA2Update(ctx, bitcount_be, sizeof (bitcount_be));
901 900 Encode(digest, ctx->state.s32, sizeof (ctx->state.s32));
902 901
903 902 } else {
904 903 index = (ctx->count.c64[1] >> 3) & 0x7f;
905 904 Encode64(bitcount_be64, ctx->count.c64,
906 905 sizeof (bitcount_be64));
907 906 SHA2Update(ctx, PADDING, ((index < 112) ? 112 : 240) - index);
908 907 SHA2Update(ctx, bitcount_be64, sizeof (bitcount_be64));
909 908 if (algotype <= SHA384_HMAC_GEN_MECH_INFO_TYPE) {
910 909 ctx->state.s64[6] = ctx->state.s64[7] = 0;
911 910 Encode64(digest, ctx->state.s64,
912 911 sizeof (uint64_t) * 6);
913 912 } else
914 913 Encode64(digest, ctx->state.s64,
915 914 sizeof (ctx->state.s64));
916 915 }
917 916
918 917 /* zeroize sensitive information */
919 918 bzero(ctx, sizeof (*ctx));
920 919 }
|
↓ open down ↓ |
191 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX